[Openstack-security] [Bug 1381405] Re: user token is not checked for UUID type before sending request for token validation
Abu Shohel Ahmed
1381405 at bugs.launchpad.net
Thu Oct 16 08:26:01 UTC 2014
Everything which is not in PKI format is treated as a UUID token and
sent for token validation to the Identity API. IMO, here exists a
program flow based on an untrusted input (Token) without any sanitation
check. Any garbage value can take this path, possibly
consuming/exhausting system resources.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1381405
Title:
user token is not checked for UUID type before sending request for
token validation
Status in OpenStack Identity (Keystone) Middleware:
Incomplete
Bug description:
user token is not checked for UUID type before sending a token
validation request.
    def _validate_token(self, token, env, retry=True):
        ...
        if cms.is_pkiz(token):
            verified = self._verify_pkiz_token(token, token_ids)
            data = jsonutils.loads(verified)
            expires = _confirm_token_not_expired(data)
        elif cms.is_asn1_token(token):
            verified = self._verify_signed_token(token, token_ids)
            data = jsonutils.loads(verified)
            expires = _confirm_token_not_expired(data)
        else:
            data = self._identity_server.verify_token(token,
                                                      retry)
The 'else' allows any value in token which is not in PKI format to be sent to the Identity API for token
validation. A sanitation check here for UUID type can reduce the load for token validation
towards the Identity API.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystonemiddleware/+bug/1381405/+subscriptions
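The dispatch described in the bug report with the proposed local UUID check in place, as an added example that is not keystonemiddleware's own code. It assumes Keystone UUID tokens are uuid4().hex (32 lowercase hex characters) and uses constructed stand-ins for cms.is_pkiz, cms.is_asn1_token and the identity server, so the number of validation calls that reach the Identity API can be counted offline.

```python
import re

# Constructed stand-ins for the prefix checks keystonemiddleware delegates to
# cms.is_pkiz / cms.is_asn1_token (assumed prefixes; the real checks live in
# keystoneclient.common.cms and are not reproduced here).
def is_pkiz(token):
    return token.startswith("PKIZ_")

def is_asn1_token(token):
    return token.startswith("MII")

# Assumption: Keystone UUID tokens are uuid.uuid4().hex, i.e. exactly 32
# lowercase hexadecimal characters with no hyphens.
_UUID_HEX = re.compile(r"^[0-9a-f]{32}$")

def is_uuid_token(token):
    """Cheap local sanity check that runs before any network round trip."""
    return isinstance(token, str) and _UUID_HEX.match(token) is not None

class CountingIdentityServer:
    """Stand-in for self._identity_server that records every validation
    call, so the load reduction from the local check is measurable."""
    def __init__(self, known_tokens):
        self.known = set(known_tokens)
        self.calls = 0

    def verify_token(self, token, retry=True):
        self.calls += 1
        return {"valid": token in self.known}

def validate_token(token, identity_server):
    """Hardened dispatch: returns 'pkiz', 'asn1', 'uuid' or 'rejected'.
    The former 'else' branch now only forwards well-formed UUID tokens."""
    if is_pkiz(token):
        return "pkiz"            # would go to _verify_pkiz_token
    if is_asn1_token(token):
        return "asn1"            # would go to _verify_signed_token
    if not is_uuid_token(token):
        return "rejected"        # garbage never reaches the Identity API
    identity_server.verify_token(token)
    return "uuid"

def demo():
    """Constructed inputs: one well-formed UUID token, two PKI-looking
    tokens, and garbage that previously would have been forwarded."""
    server = CountingIdentityServer(["0123456789abcdef0123456789abcdef"])
    inputs = ["0123456789abcdef0123456789abcdef", "PKIZ_eJwtjs", "MIIBzAYJ",
              "x" * 4096, "", "not-a-token"]
    results = [validate_token(t, server) for t in inputs]
    return results, server.calls
```

Running demo() shows only the single well-formed UUID token producing a call to the identity server; the three garbage inputs are rejected locally.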